Integris Health is facing some class action lawsuits because of a recent cyberattack that resulted in a data breach. Although there’s no confirmation yet from Integris Health as to the number of individuals impacted, the threat actor responsible for the attack professed to have stolen the information of about 2 million individuals and sent emails to the patients directly on December 24, 2023, requiring them to pay because Integris Health did not pay the ransom.
William Federman of the law agency Federman & Sherman filed the Zinck et al v. Integris Health Inc. lawsuit in the U.S. District Court for the Western District of Oklahoma for plaintiff Aaron Zinck and likewise situated persons. The lawsuit claims that Integris Health did not use reasonable and proper security procedures to secure patient information, despite knowing the risk of ransomware and other cyberattacks on hospitals.
Federman stated that Integris Health lacked transparency concerning the cyberattack and data breach when no announcement was made about the cyberattack until the hackers directly contacted patients. Integris Health mentioned in its patient notification that the threat actor acquired access to its network on November 28, 2023. Federman claims Integris Health concealed important data that could have helped the plaintiff and class members secure their personal data against fraud. Although it is common for healthcare companies to provide free credit monitoring and identity theft protection services in case of the theft of sensitive information, there were no such services offered.
The lawsuit wants a jury trial, attorney’s expenses, and an award of damages. Some other lawsuits were also filed in the last couple of days that make the same statements, which include Civi et al v. Integris Health Inc., Gregory Leeb v. Integris Health, and Joseph E Bointy v. Integris Health.
Threat Actors Contacted Integris Health Patients Directly Following the Cyberattack
Integris Health, a not-for-profit health system in Oklahoma, has announced that a cyberattack affected its internal systems and an unauthorized third party stole patient information. Integris Health manages 15 hospitals across Oklahoma including many centers of excellence, specialty clinics, and family care practices. Integris Health’s notice to the public was posted on its website regarding the data privacy incident on December 24, 2023. After discovering the suspicious activity, Integris Health worked quickly to stop the unauthorized access. It also investigated the nature and extent of the data breach and found out that the attacker acquired unauthorized access on November 28, 2023 and stole sensitive data without encrypting the files.
A review of the breached files by Integris Health revealed the compromise of the following information: including names, contact details, Social Security numbers, demographic data, and dates of birth. No health data, usernames/passwords, financial data, or driver’s licenses were compromised. On December 24, 2023, Integris Health began sending notifications to some patients after a group claimed it was behind the cyberattack. The threat group mentioned that it has the data of patients including names, addresses, telephone numbers, dates of birth, insurance details, employer data, and SSNs. It also said that it would post the information for sale on the dark web. The threat group contacted the patients and told them to pay an amount before January 5, 2024 if they want to stop the sale of their information. After the said date, the whole database will be offered to data brokers. The threat actor also sent a sample of the stolen patient data as proof, which some patients have affirmed to be legit.
The threat actor says that the PHI of over 2 million patients of Integris Health was stolen. The patients are being contacted and asked to pay the ransom because Integris Health did not pay for the deletion of the information. The patients were given a Tor link to send their payments of $3 to check out their stolen information or $50 to delete the data. The Bleeping Computer reported that the Tor extortion website has 4,674,000 records, but the uniqueness of those records is uncertain. Integris Health has not released any information regarding the number of individuals affected.
There were some cyberattacks already reported that involved the contacting of individual patients directly by the threat actors. Because the breached healthcare provider did not pay the ransom, the attacker contacted the patients.
Early this year, threat actors contacted the patients of a plastic surgery clinic and told them to pay an amount to delete their sensitive pictures and other data from the public domain.
The Hunters International threat group communicated with the Fred Hutchinson Cancer Center patients and told them to pay $50 to have their exposed information deleted, if not, the data will be made available for sale. The data theft occurred during a cyberattack around the weekend of Thanksgiving Day. Even if the victims pay the $50, there is no guarantee that the stolen information will be deleted. Those who paid the demand could still suffer from other extortion attempts and/or the selling of their sensitive data. Affected individuals are advised not to communicate, respond, call the sender, or even go along with any of the directions or click links.